Frequently Asked Questions
On April 11, 2018, an unauthorized individual was able to gain access to one email account for a single HealthEquity employee. HealthEquity discovered the unauthorized access on April 13, 2018, and eliminated the individual’s access to the email account. However, during the time that the individual had access to the account, he may have downloaded a copy of emails contained within. Included in the inbox are documents that contained personally identifiable information and/or protected health information for some of the employees for whom we administer flexible spending accounts or health care reimbursement accounts or for accountholders for whom we administer health savings accounts. Impacted individuals will receive a letter from HealthEquity if they are affected.
What is HealthEquity doing in response to this?
Upon learning of this incident, HealthEquity moved quickly to take action:
• With the assistance of a third-party forensic firm, we launched an investigation to determine what may have happened and to confirm the security of our systems.
• We reported the incident to law enforcement.
• HealthEquity has taken additional actions to strengthen the security of its email systems moving forward, including the implementation of technical security measures and retraining and reeducation of its workforce.
What is HealthEquity offering to do to help me?
We are offering identity theft protection services through ID Experts®, a data breach and recovery services expert, to provide you with MyIDCare™. MyIDCare services include: Credit Monitoring, Cyberscan Dark Web Monitoring, a $1,000,000 insurance reimbursement policy, exclusive educational materials and fully managed identity theft recovery services. Information on how to enroll in these services and the duration of services is contained in the notice you received in the mail.
Has any identity theft or fraud been reported as a result of this?
No, we have not received any reports of identity theft or fraud.
Who is HealthEquity? Why do they have my information?
HealthEquity is one of the nation’s largest providers of health savings accounts (HSAs) and reimbursement arrangement services (Flexible Spending Accounts, Health Reimbursement Accounts, Limited Purpose Flex Spending Accounts, and Dependent Care Reimbursement Accounts, etc.). HealthEquity provides reimbursement arrangement services to employees of your employer, and your information was provided to HealthEquity in connection with the services we provide.
How can I be sure my information is secure with you now?
HealthEquity has taken additional actions to strengthen the security of its email systems moving forward, including the implementation of technical security measures and retraining and reeducation of its workforce.
Why am I only hearing about this now if it happened on April 13th?
Immediately upon learning of the email account compromise, HealthEquity launched an investigation with the assistance of a third-party forensic investigation firm to determine the nature of the account compromise and analyze the contents of the mailbox. This was an extensive investigation conducted over several weeks.
What can I do to better protect myself against identity theft and fraud?
While we are unaware of any identity theft or fraud resulting from this event, we encourage you to monitor your identity, financial accounts, and credit reports. General steps you can take to protect against identity theft and fraud include:
• Enroll to receive the monitoring services we are offering you. Instructions on how to do so are contained in the letter we mailed to you.
• Review your account statements regularly for suspicious activity, and report all suspicious or fraudulent activity to your provider or financial institution.
• Review your credit report for suspicious or fraudulent activity. You are entitled to one free credit report a year, and can request this report from either www.annualcreditreport.com, which can be reached at 1-877-322-8228, or from the consumer reporting agencies. Experian can be reached at: PO Box 2002, Allen, TX 75013, 888-397-3742, www.experian.com. Equifax can be reached at: PO Box 105069, Atlanta, GA 30348, 800-525-6285, www.equifax.com. TransUnion can be reached at: PO Box 2000, Chester, PA 19016, 800-680-7289, www.transunion.com.
• Place a fraud alert on your credit reports, which will tell creditors to take extra steps to verify your identity prior to granting credit in your name. To do so, reach out to one of the consumer reporting agencies, and they will communicate amongst each other to notify of the fraud alert once it is placed. Experian can be reached at: PO Box 2002, Allen, TX 75013, 888-397-3742, www.experian.com. Equifax can be reached at: PO Box 105069, Atlanta, GA 30348, 800-525-6285, www.equifax.com. TransUnion can be reached at: PO Box 2000, Chester, PA 19016, 800-680-7289, www.transunion.com.
• Place a security freeze on your credit reports, which will prohibit the release of information relating to you by a consumer reporting agency without your written authorization. To place a security freeze, you must contact each of the consumer reporting agencies directly, and the contact information to do so is different than the contact information to place a fraud alert. Experian can be reached at: PO Box 9554, Allen, TX 75013, 888-397-3742, www.experian.com/freeze/center.html. Equifax can be reached at: PO Box 105788, Atlanta, GA 30348, 800-685-1111 (NY residents: 800-349-9960), www.freeze.equifax.com. TransUnion Fraud Victim Assistance can be reached at: PO Box 2000, Chester, PA 19016, 888-909-8872, www.transunion.com/credit-freeze/place-credit-freeze.
• Contact your Attorney General or the Federal Trade Commission for additional information on what you can do to protect against identity theft. The FTC can be reached at: 600 Pennsylvania Avenue NW, Washington, DC 20580, www.ftc.gov/idtheft/; 1-877-ID-THEFT (1-877-438-4338); and TTY: 1-866-653-4261.
• Report incidents of fraud and identity theft to law enforcement.
• Monitor for misuse of Social Security benefits. You can create an account at https://www.socialsecurity.gov/myaccount/ to monitor for any actual or attempted misuse. If you see an error or attempted misuse of Social Security benefits, you can go to your local Social Security Office for assistance. Local offices can be found using the following office locator: https://secure.ssa.gov/ICON/main.jsp.
Should I check my credit report?
We encourage you to always monitor your credit report for suspicious activity. Every U.S. consumer over the age of eighteen with credit issued in their name can receive a free copy of their credit report on an annual basis from the consumer reporting agencies. You can contact the agencies directly or contact the Annual Credit Report Service by calling, toll-free, 877-322-8228 or visiting www.annualcreditreport.com. If you’d like to contact the agencies directly, you may reach out to Experian, Equifax, or TransUnion. Equifax’s contact information is: PO Box 105069, Atlanta, GA 30348, 800-525-6285, www.equifax.com. Experian’s contact information is: PO Box 2002, Allen, TX 75013, 888-397-3742, www.experian.com. TransUnion’s contact information is: PO Box 2000, Chester, PA 19016, 800-680-7289, www.transunion.com.
What is the purpose of a fraud alert?
A fraud alert tells creditors to contact you before they open a new credit account under your Social Security number.
What is the purpose of a credit freeze or security freeze?
A security freeze or credit freeze prohibits a credit reporting agency from releasing any information from a consumer’s credit report without the consumer’s written authorization. However, please be advised that placing a security freeze on your credit report may delay, interfere with, or prevent the timely approval of any requests you make for new loans, credit mortgages, employment, housing, or other services.
If you have been the victim of identity theft, and you provide the credit reporting agency with a valid police report, it cannot charge you to place, lift or remove a security freeze. In all other cases, a credit reporting agency may charge you a fee that varies by state to place, temporarily lift, or permanently remove a security freeze.
To place a security freeze on your credit report, you must send a written request to each of the major consumer reporting agencies: Equifax (www.equifax.com), Experian (www.experian.com), and TransUnion (www.transunion.com) by regular, certified or overnight mail to the addresses below:
• Equifax Security Freeze, P.O. Box 105788, Atlanta, GA 30348, 1-800-685-1111, www.freeze.equifax.com
• Experian Security Freeze, P.O. Box 9554, Allen, TX 75013, 1-888-397-3742, www.experian.com/freeze
• TransUnion, P.O. Box 2000, Chester, PA 19016, 1-888-909-8872, www.transunion.com/credit-freeze
In order to request a security freeze, you will need to provide the following information:
1. Your full name (including middle initial as well as Jr., Sr., II, III, etc.);
2. Social Security number;
3. Date of birth;
4. If you have moved in the past five (5) years, provide the addresses where you have lived over the prior five years;
5. Proof of current address, such as a current utility bill or telephone bill;
6. A legible photocopy of a government-issued identification card (state driver’s license or ID card, military identification, etc.);
7. If you are a victim of identity theft, include a copy of either the police report, investigative report, or complaint to a law enforcement agency concerning identity theft;
8. If you are not a victim of identity theft, include payment by check, money order, or credit card (Visa, MasterCard, American Express or Discover only). Do not send cash through the mail.
The credit reporting agencies have three (3) business days after receiving your request to place a security freeze on your credit file report. The credit bureaus must also send written confirmation to you within five (5) business days and provide you with a unique personal identification number (PIN) or password, or both, that can be used by you to authorize the removal or lifting of the security freeze.
To lift the security freeze in order to allow a specific entity or individual access to your credit report, you must call or send a written request to the credit reporting agencies by mail and include proper identification (name, address, and Social Security number) and the PIN number or password provided to you when you placed the security freeze, as well as the identities of those entities or individuals you would like to receive your credit report or the specific period of time you want the credit report available. The credit reporting agencies have three (3) business days after receiving your request to remove the security freeze.
To remove the security freeze, you must send a written request to each of the three credit bureaus by mail and include proper identification (name, address, and social security number) and the PIN number or password provided to you when you placed the security freeze. The credit bureaus have three (3) business days after receiving your request to remove the security freeze.